I have an A/B server setup, where one is active and one is inactive. On deployment the inactive one is shut down, updated, and brought back up. Then once we verify it's working properly, we switch to that server. Because of this, I have two separate directories that contain the public files at different times.
I had the issue where my cert wasn’t updated properly and I got an email about it. Turns out my letsencrypt conf file was set to the inactive server, so it wasn’t writing in the proper place to be able to verify my ownership.
Creating a symlink to .well-known/acme-challenge would be a pain to implement because updating the server blows away the entire directory and reinstalls, and I don't have any good place in the installer to put in that symlink.
What would solve this for me would be if I could include multiple webroots and have certbot-auto write whatever file it needs to in both/all places so that it can be sure the challenge file will be accessible no matter which server is active at the moment.
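One way to get that behaviour with certbot as it ships today, added here as an example and not part of the original post: a `--manual-auth-hook` script that writes the challenge certbot hands it (through the `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` environment variables) into every webroot at once, so the file is served whichever server is active. The `ACME_WEBROOTS` variable, the script path and the `/srv/...` directories are assumptions.

```shell
#!/bin/sh
# Constructed example: certbot auth/cleanup hook that places the HTTP-01
# challenge file in every webroot listed in ACME_WEBROOTS (colon-separated).
# Assumed invocation:
#   ACME_WEBROOTS=/srv/a/public:/srv/b/public \
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook "/usr/local/bin/acme-multiroot.sh place" \
#     --manual-cleanup-hook "/usr/local/bin/acme-multiroot.sh cleanup" \
#     -d example.com
set -eu

# Write the validation string to .well-known/acme-challenge/<token> in each root.
place_challenge() {
    roots=$1; token=$2; validation=$3
    old_ifs=$IFS; IFS=:
    for root in $roots; do
        dir="$root/.well-known/acme-challenge"
        mkdir -p "$dir"
        printf '%s' "$validation" > "$dir/$token"
        chmod 644 "$dir/$token"   # readable by the web server, not writable
    done
    IFS=$old_ifs
}

# Remove the challenge file from every root once validation is done.
cleanup_challenge() {
    roots=$1; token=$2
    old_ifs=$IFS; IFS=:
    for root in $roots; do
        rm -f "$root/.well-known/acme-challenge/$token"
    done
    IFS=$old_ifs
}

# Confirm every root holds exactly what the CA will fetch; fails on the first miss.
check_challenge() {
    roots=$1; token=$2; validation=$3
    old_ifs=$IFS; IFS=:
    for root in $roots; do
        f="$root/.well-known/acme-challenge/$token"
        [ -f "$f" ] && [ "$(cat "$f")" = "$validation" ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

case "${1:-}" in
    place)   place_challenge "$ACME_WEBROOTS" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
             check_challenge "$ACME_WEBROOTS" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) cleanup_challenge "$ACME_WEBROOTS" "$CERTBOT_TOKEN" ;;
esac
```

certbot records the hook commands in the renewal configuration, so later `certbot renew` runs reuse them; keep the script writable only by the account that runs certbot, since it writes into both document roots.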